Indiana enacts comprehensive data privacy law

Indiana has joined the increasing number of states enacting more comprehensive data privacy laws, with Senate Bill 5 (SB 5)’s “Article 15. Consumer Data Protection” poised to take effect on January 1, 2026. Although SB 5 passed both the House and Senate unanimously, because the privacy law does not take effect for several years there is sufficient time for Indiana’s legislature to amend or modify various provisions.

Indiana passed the bill with a number of business-friendly provision. Notably, it only allows enforcement by the Indiana Attorney General following a 30-day cure period to resolve any deficiencies prior to an enforcement action. There is no private right of action.

SB 5 applies to for-profit entities conducting business in Indiana or producing products or services targeted to Hoosiers, that either:

1. Control or process personal data of at least 100,000 Indiana consumers.
2. Control or processes personal data of at least 25,000 Indiana consumers and derives more than 50% of gross revenue from the sale of personal data.

However, SB 5 provides a number of exemptions for certain entities and information including:

• State entities and political subdivisions of the state
• Financial institutions subject to the Gramm-Leach Bliley Act (GLBA)
• Covered entities or business associates governed by Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Nonprofit organizations; higher education institutions
• Information governed by Fair Credit Reporting Act (FCRA)
• Personal data governed by Family Educational Rights and Privacy Act (FERPA)
• Public utilities

Notably, if a controller complies with the Children’s Online Privacy Protection Act (COPPA), the controller is deemed compliant with obligations under SB 5.

Similar to data protection laws being passed in other states (e.g., Tennessee), SB 5 grants Hoosiers several data protection rights including the right to know whether a controller is processing personal data, a right to access personal data, the right to delete personal data, the right to correct inaccuracies, the right to obtain a portable copy of personal data, the right of opt out of processing data for purposes of targeted advertising, sale of data and “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects,” meaning decisions that result in the provision or denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services or access to basic necessities.

Indiana further requires covered businesses to provide information to consumers via a privacy notice of:

1. The categories of personal information collected
2. Purposes for processing personal data
3. How to exercise the consumer rights created under the bill
4. The categories of personal information that are shared with third parties
5. The categories of third parties that will receive the personal information

As noted above, SB 5 does not provide a private right of action and may only be enforced by the Indiana Attorney General. Prior to initiating an enforcement action, the AG shall provide the business with a 30-day written notice identifying the specific provisions that the AG alleges have been violated. If the entity does not cure the deficiency within 30 days, the AG may pursue an enforcement action and potential impose civil penalties of up to $7,500 per violation.

Finally, SB 5 provides that the Attorney General may establish (but does not require) a list of resources for controllers, such as sample privacy notices and disclosures, to assist in compliance with the new law.

For more legislative updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislative updates.

• Click here for information on Iowa’s recent legislative update 
• Click here for information on Tennessee’s recent legislative update